From LedHed's Wiki

The following information can be used to protect an email account in such a way that only messages from whitelisted (approved) senders will be accepted.
This is great for email accounts for young children.

All of this information was derived from: A child-safe SMTP whitelist with Postfix and MySQL
Special Thanks to Scott Merrill for his excellent HowTo.


Postfix MySQL Maps

Create two files, /etc/postfix/protected_users.cf and /etc/postfix/whitelist.cf, so that Postfix can query MySQL.

protected_users.cf

dbname = mail
hosts = localhost
user = postfix
password = ********
table = protected_users
select_field = class
where_field = recipient

whitelist.cf

dbname = mail
hosts = localhost
user = postfix
password = ********
table = whitelist
select_field = action
where_field = sender


NOTE: Make sure these files are NOT world-readable, because they contain the MySQL user name and password!

chmod 640 protected_users.cf whitelist.cf

This leaves the file readable by its owner and group only; the group must be one that the Postfix daemons run as, or they will not be able to read the map definition.


Main.cf

Edit /etc/postfix/main.cf with your favorite editor.

SMTPD_RECIPIENT_RESTRICTIONS

Add this entry to the smtpd_recipient_restrictions list.

mysql:/etc/postfix/protected_users.cf

SMTPD_RESTRICTION_CLASSES

Create a restriction class. Add these lines anywhere in main.cf.

smtpd_restriction_classes = whitelist
whitelist = check_sender_access mysql:/etc/postfix/whitelist.cf, reject


MySQL

Create the two tables that Postfix queries.

Protected Users Table

CREATE TABLE `protected_users` (
`recipient` VARCHAR( 50 ) NOT NULL ,   -- the protected mailbox, e.g. child@example.org
`class` VARCHAR( 10 ) NOT NULL,        -- restriction class to apply, i.e. "whitelist"
UNIQUE ( `recipient` )
);

Whitelist Table

CREATE TABLE `whitelist` (
`sender` VARCHAR( 50 ) NOT NULL ,      -- approved sender address or domain
`action` VARCHAR( 2 ) NOT NULL ,       -- access(5) result for that sender, i.e. "OK"
UNIQUE ( `sender` )
);

The SELECT, INSERT, and DELETE privileges must be granted to whichever user will be accessing these tables.
Use the following MySQL statements as an example.

-- MySQL accepts only one table per GRANT, so grant on each table in turn.
-- GRANT ... IDENTIFIED BY creates the account on MySQL 5.x; on MySQL 8.0 create it first with CREATE USER.
GRANT SELECT,INSERT,DELETE ON mail.protected_users TO SomeUser@localhost IDENTIFIED BY '********';
GRANT SELECT,INSERT,DELETE ON mail.whitelist TO SomeUser@localhost;

Here SomeUser is the MySQL user that Postfix connects as (the user given in the .cf files above) and ******** is that user's password.
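To sanity-check the table contents before putting the restriction live, the following added example (not from this wiki or from the original HowTo) models the decision Postfix makes with these two maps, using an in-memory SQLite copy of the same schema and constructed sample rows. It simplifies the access(5) key order to full address, bare domain and user@, and ignores parent-domain matching.

```python
import sqlite3

# Constructed sample data (not from the wiki): one protected child account
# and the senders allowed to reach it. A bare domain whitelists everyone there.
PROTECTED_USERS = [("kid@example.org", "whitelist")]
WHITELIST = [("grandma@example.net", "OK"), ("school.example", "OK")]


def build_db():
    """Create the page's two tables in SQLite and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE protected_users (recipient VARCHAR(50) NOT NULL UNIQUE,"
               " class VARCHAR(10) NOT NULL)")
    db.execute("CREATE TABLE whitelist (sender VARCHAR(50) NOT NULL UNIQUE,"
               " action VARCHAR(2) NOT NULL)")
    db.executemany("INSERT INTO protected_users VALUES (?, ?)", PROTECTED_USERS)
    db.executemany("INSERT INTO whitelist VALUES (?, ?)", WHITELIST)
    return db


def lookup(db, table, select_field, where_field, key):
    """The query a mysql: map issues: SELECT select_field FROM table WHERE where_field = key.
    Table and field names come from the .cf file, never from the message; the key is bound."""
    row = db.execute(f"SELECT {select_field} FROM {table} WHERE {where_field} = ?",
                     (key,)).fetchone()
    return row[0] if row else None


def sender_keys(address):
    """Keys tried for an address in an access map (simplified): user@domain, domain, user@."""
    user, _, domain = address.lower().partition("@")
    return [address.lower(), domain, user + "@"]


def decide(db, sender, recipient):
    """Return the smtpd action for one sender/recipient pair."""
    klass = lookup(db, "protected_users", "class", "recipient", recipient.lower())
    if klass != "whitelist":
        return "DUNNO"   # not protected: fall through to the rest of smtpd_recipient_restrictions
    for key in sender_keys(sender):
        if lookup(db, "whitelist", "action", "sender", key) == "OK":
            return "OK"  # check_sender_access matched
    return "REJECT"      # the trailing "reject" in the whitelist restriction class


if __name__ == "__main__":
    conn = build_db()
    for s, r in [("grandma@example.net", "kid@example.org"),
                 ("spammer@example.com", "kid@example.org")]:
        print(s, "->", r, ":", decide(conn, s, r))
```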